summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRepository QA checks <repo-qa-checks@gentoo.org>2017-02-21 00:14:56 +0000
committerRepository QA checks <repo-qa-checks@gentoo.org>2017-02-21 00:14:56 +0000
commit9e09973f92cbfed073dfb8cff7d69b442992d794 (patch)
tree001b5be8e180429654b34ca85a102ac6c1b6647b
parentMerge updates from master (diff)
parentAdd GLSA 201702-29 (diff)
downloadgentoo-9e09973f92cbfed073dfb8cff7d69b442992d794.tar.gz
gentoo-9e09973f92cbfed073dfb8cff7d69b442992d794.tar.bz2
gentoo-9e09973f92cbfed073dfb8cff7d69b442992d794.zip
Merge commit '13e3c79260d3a484acaf3620f484f6f4ab02614a'
-rw-r--r--metadata/glsa/glsa-201702-20.xml77
-rw-r--r--metadata/glsa/glsa-201702-21.xml71
-rw-r--r--metadata/glsa/glsa-201702-22.xml74
-rw-r--r--metadata/glsa/glsa-201702-23.xml61
-rw-r--r--metadata/glsa/glsa-201702-24.xml57
-rw-r--r--metadata/glsa/glsa-201702-25.xml53
-rw-r--r--metadata/glsa/glsa-201702-26.xml59
-rw-r--r--metadata/glsa/glsa-201702-27.xml65
-rw-r--r--metadata/glsa/glsa-201702-28.xml72
-rw-r--r--metadata/glsa/glsa-201702-29.xml64
10 files changed, 653 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-201702-20.xml b/metadata/glsa/glsa-201702-20.xml
new file mode 100644
index 000000000000..c1e13ce4214f
--- /dev/null
+++ b/metadata/glsa/glsa-201702-20.xml
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201702-20">
+ <title>Adobe Flash Player: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Adobe Flash Player, the
+ worst of which allows remote attackers to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">flash</product>
+ <announced>2017-02-20</announced>
+ <revised>2017-02-20: 1</revised>
+ <bug>605314</bug>
+ <bug>609330</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-plugins/adobe-flash" auto="yes" arch="*">
+ <unaffected range="ge">24.0.0.221</unaffected>
+ <vulnerable range="lt">24.0.0.221</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>The Adobe Flash Player is a renderer for the SWF file format, which is
+ commonly used to provide interactive websites.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Adobe Flash Player.
+ Please review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process or bypass security restrictions.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Adobe Flash users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=www-plugins/adobe-flash-24.0.0.221"
+ </code>
+ </resolution>
+ <references>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2925">CVE-2017-2925</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2926">CVE-2017-2926</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2927">CVE-2017-2927</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2928">CVE-2017-2928</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2930">CVE-2017-2930</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2931">CVE-2017-2931</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2932">CVE-2017-2932</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2933">CVE-2017-2933</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2934">CVE-2017-2934</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2935">CVE-2017-2935</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2936">CVE-2017-2936</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2937">CVE-2017-2937</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2938">CVE-2017-2938</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2982">CVE-2017-2982</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2984">CVE-2017-2984</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2985">CVE-2017-2985</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2986">CVE-2017-2986</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2987">CVE-2017-2987</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2988">CVE-2017-2988</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2990">CVE-2017-2990</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2991">CVE-2017-2991</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2992">CVE-2017-2992</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2993">CVE-2017-2993</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2994">CVE-2017-2994</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2995">CVE-2017-2995</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2996">CVE-2017-2996</uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-02-16T12:43:25Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2017-02-20T23:44:37Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201702-21.xml b/metadata/glsa/glsa-201702-21.xml
new file mode 100644
index 000000000000..68f1a9b4c5e9
--- /dev/null
+++ b/metadata/glsa/glsa-201702-21.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201702-21">
+ <title>Opus: User-assisted execution of arbitrary code</title>
+ <synopsis>A vulnerability in Opus could cause memory corruption.</synopsis>
+ <product type="ebuild">opus</product>
+ <announced>2017-02-20</announced>
+ <revised>2017-02-20: 1</revised>
+ <bug>605894</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/opus" auto="yes" arch="*">
+ <unaffected range="ge">1.1.3-r1</unaffected>
+ <vulnerable range="lt">1.1.3-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Opus is a totally open, royalty-free, highly versatile audio codec.</p>
+ </background>
+ <description>
+ <p>A large NLSF values could cause the stabilization code in
+ silk/NLSF_stabilize.c to wrap-around and have the last value in
+ NLSF_Q15[] to be negative, close to -32768.
+ </p>
+
+ <p>Under normal circumstances, the code will simply read from the wrong
+ table resulting in an unstable LPC filter. The filter would then go
+ through the LPC stabilization code at the end of silk_NLSF2A().
+ </p>
+
+ <p>Ultimately, the output audio would be garbage, but no worse than with
+ any other harmless bad packet.
+ </p>
+
+ <p>Please see the referenced upstream patch and Debian bug report below for
+ a detailed analysis.
+ </p>
+
+ <p>However, the original report was about a successful exploitation of
+ Android’s Mediaserver in conjunction with this vulnerability.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to open a specially crafted media
+ stream, possibly resulting in execution of arbitrary code with the
+ privileges of the process, or a Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Opus users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=media-libs/opus-1.1.3-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0381">CVE-2017-0381</uri>
+ <uri link="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851612#10">
+ Debian Bug 851612
+ </uri>
+ <uri link="https://git.xiph.org/?p=opus.git;a=commitdiff;h=70a3d641b">
+ Upstream patch
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-02-16T12:24:20Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2017-02-20T23:45:02Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201702-22.xml b/metadata/glsa/glsa-201702-22.xml
new file mode 100644
index 000000000000..b18c72c2aac6
--- /dev/null
+++ b/metadata/glsa/glsa-201702-22.xml
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201702-22">
+ <title>Mozilla Firefox: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Mozilla Firefox, the
+ worst of which may allow execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">firefox</product>
+ <announced>2017-02-20</announced>
+ <revised>2017-02-20: 1</revised>
+ <bug>607138</bug>
+ <access>remote</access>
+ <affected>
+ <package name="www-client/firefox" auto="yes" arch="*">
+ <unaffected range="ge">45.7.0</unaffected>
+ <vulnerable range="lt">45.7.0</vulnerable>
+ </package>
+ <package name="www-client/firefox-bin" auto="yes" arch="*">
+ <unaffected range="ge">45.7.0</unaffected>
+ <vulnerable range="lt">45.7.0</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Mozilla Firefox is a popular open-source web browser from the Mozilla
+ Project.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
+ review the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with the
+ privileges of the process, cause a Denial of Service condition, bypass
+ access restriction, access otherwise protected information, or spoof
+ content via multiple vectors.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Mozilla Firefox users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=www-client/firefox-45.7.0"
+ </code>
+
+ <p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=www-client/firefox-bin-45.7.0"
+ </code>
+ </resolution>
+ <references>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5373">CVE-2017-5373</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5375">CVE-2017-5375</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5376">CVE-2017-5376</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5378">CVE-2017-5378</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5380">CVE-2017-5380</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5383">CVE-2017-5383</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5386">CVE-2017-5386</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5390">CVE-2017-5390</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5396">CVE-2017-5396</uri>
+ <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/">
+ Mozilla Foundation Security Advisory 2017-02
+ </uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-01-30T01:26:06Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2017-02-20T23:45:18Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201702-23.xml b/metadata/glsa/glsa-201702-23.xml
new file mode 100644
index 000000000000..4eae1027c53b
--- /dev/null
+++ b/metadata/glsa/glsa-201702-23.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201702-23">
+ <title>Dropbear: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Dropbear, the worst of
+ which allows remote attackers to execute arbitrary code.
+ </synopsis>
+ <product type="ebuild">dropbear</product>
+ <announced>2017-02-20</announced>
+ <revised>2017-02-20: 1</revised>
+ <bug>605560</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-misc/dropbear" auto="yes" arch="*">
+ <unaffected range="ge">2016.74</unaffected>
+ <vulnerable range="lt">2016.74</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Dropbear is an SSH server and client designed with a small memory
+ footprint.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Dropbear. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could possibly execute arbitrary code with root
+ privileges if usernames containing special characters can be created on a
+ system. Also, a dbclient user who can control username or host arguments
+ could potentially run arbitrary code with the privileges of the process.
+ </p>
+
+ <p>In addition, a remote attacker could entice a user to process a
+ specially crafted SSH key using dropbearconvert, possibly resulting in
+ execution of arbitrary code with the privileges of the process or a
+ Denial of Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Dropbear users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-misc/dropbear-2016.74"
+ </code>
+ </resolution>
+ <references>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7406">CVE-2016-7406</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7407">CVE-2016-7407</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7408">CVE-2016-7408</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7409">CVE-2016-7409</uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-02-05T22:53:36Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2017-02-20T23:45:39Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201702-24.xml b/metadata/glsa/glsa-201702-24.xml
new file mode 100644
index 000000000000..1e92964d19b7
--- /dev/null
+++ b/metadata/glsa/glsa-201702-24.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201702-24">
+ <title>LibVNCServer/LibVNCClient: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in
+ LibVNCServer/LibVNCClient, the worst of which allows remote attackers to
+ execute arbitrary code when connecting to a malicious server.
+ </synopsis>
+ <product type="ebuild">libvncserver</product>
+ <announced>2017-02-20</announced>
+ <revised>2017-02-20: 1</revised>
+ <bug>605326</bug>
+ <access>remote</access>
+ <affected>
+ <package name="net-libs/libvncserver" auto="yes" arch="*">
+ <unaffected range="ge">0.9.11</unaffected>
+ <vulnerable range="lt">0.9.11</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>LibVNCServer/LibVNCClient are cross-platform C libraries that allow you
+ to easily implement VNC server or client functionality in your program.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in LibVNCServer and
+ LibVNCClient. Please review the CVE identifiers referenced below for
+ details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could entice a user to connect to a malicious VNC
+ server or leverage Man-in-the-Middle attacks to cause the execution of
+ arbitrary code with the privileges of the user running a VNC client
+ linked against LibVNCClient.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All LibVNCServer/LibVNCClient users should upgrade to the latest
+ version:
+ </p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-libs/libvncserver-0.9.11"
+ </code>
+ </resolution>
+ <references>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9941">CVE-2016-9941</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9942">CVE-2016-9942</uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-02-05T22:55:00Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2017-02-20T23:45:56Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201702-25.xml b/metadata/glsa/glsa-201702-25.xml
new file mode 100644
index 000000000000..0cedc9ab6abd
--- /dev/null
+++ b/metadata/glsa/glsa-201702-25.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201702-25">
+ <title>libass: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in libass, the worst of
+ which have unknown impacts.
+ </synopsis>
+ <product type="ebuild">libass</product>
+ <announced>2017-02-20</announced>
+ <revised>2017-02-20: 1</revised>
+ <bug>596422</bug>
+ <access>remote</access>
+ <affected>
+ <package name="media-libs/libass" auto="yes" arch="*">
+ <unaffected range="ge">0.13.4</unaffected>
+ <vulnerable range="lt">0.13.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>libass is a portable subtitle renderer for the ASS/SSA (Advanced
+ Substation Alpha/Substation Alpha) subtitle format.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in libass. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A remote attacker could cause a Denial of Service condition or other
+ unknown impacts via unknown attack vectors.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All libass users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=media-libs/libass-0.13.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7969">CVE-2016-7969</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7970">CVE-2016-7970</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7971">CVE-2016-7971</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7972">CVE-2016-7972</uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-02-05T23:35:59Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2017-02-20T23:46:16Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201702-26.xml b/metadata/glsa/glsa-201702-26.xml
new file mode 100644
index 000000000000..fc86cf20f8d0
--- /dev/null
+++ b/metadata/glsa/glsa-201702-26.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201702-26">
+ <title>Nagios: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Nagios, the worst of
+ which could lead to privilege escalation.
+ </synopsis>
+ <product type="ebuild">nagios</product>
+ <announced>2017-02-21</announced>
+ <revised>2017-02-21: 1</revised>
+ <bug>595194</bug>
+ <bug>598104</bug>
+ <bug>600864</bug>
+ <bug>602216</bug>
+ <access>local, remote</access>
+ <affected>
+ <package name="net-analyzer/nagios-core" auto="yes" arch="*">
+ <unaffected range="ge">4.2.4</unaffected>
+ <vulnerable range="lt">4.2.4</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Nagios is an open source host, service and network monitoring program.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Nagios. Please review
+ the CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="high">
+ <p>A local attacker, who either is already Nagios’s system user or
+ belongs to Nagios’s group, could potentially escalate privileges.
+ </p>
+
+ <p>In addition, a remote attacker could read or write to arbitrary files by
+ spoofing a crafted response from the Nagios RSS feed server.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Nagios users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=net-analyzer/nagios-core-4.2.4"
+ </code>
+ </resolution>
+ <references>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4796">CVE-2008-4796</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7313">CVE-2008-7313</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8641">CVE-2016-8641</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9565">CVE-2016-9565</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9566">CVE-2016-9566</uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-01-30T01:56:03Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2017-02-21T00:04:00Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201702-27.xml b/metadata/glsa/glsa-201702-27.xml
new file mode 100644
index 000000000000..e65aec7e17cf
--- /dev/null
+++ b/metadata/glsa/glsa-201702-27.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201702-27">
+ <title>Xen: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in Xen, the worst of which
+ could lead to the execution of arbitrary code on the host system.
+ </synopsis>
+ <product type="ebuild">xen</product>
+ <announced>2017-02-21</announced>
+ <revised>2017-02-21: 1</revised>
+ <bug>607840</bug>
+ <bug>609160</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-emulation/xen" auto="yes" arch="*">
+ <unaffected range="ge">4.7.1-r5</unaffected>
+ <vulnerable range="lt">4.7.1-r5</vulnerable>
+ </package>
+ <package name="app-emulation/xen-tools" auto="yes" arch="*">
+ <unaffected range="ge">4.7.1-r6</unaffected>
+ <vulnerable range="lt">4.7.1-r6</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>Xen is a bare-metal hypervisor.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in Xen. Please review the
+ CVE identifiers and Xen Security Advisory referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A local attacker could potentially execute arbitrary code with
+ privileges of Xen (QEMU) process on the host, gain privileges on the host
+ system, cause a Denial of Service condition, or obtain sensitive
+ information.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All Xen users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-4.7.1-r5"
+ </code>
+
+ <p>All Xen Tools users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ "&gt;=app-emulation/xen-tools-4.7.1-r6"
+ </code>
+ </resolution>
+ <references>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2615">CVE-2017-2615</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-207.html">XSA-207</uri>
+ <uri link="https://xenbits.xen.org/xsa/advisory-208.html">XSA-208</uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-02-16T18:01:38Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2017-02-21T00:04:19Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201702-28.xml b/metadata/glsa/glsa-201702-28.xml
new file mode 100644
index 000000000000..dc8de74927c8
--- /dev/null
+++ b/metadata/glsa/glsa-201702-28.xml
@@ -0,0 +1,72 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201702-28">
+ <title>QEMU: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in QEMU, the worst of
+ which could lead to the execution of arbitrary code on the host system.
+ </synopsis>
+ <product type="ebuild">qemu</product>
+ <announced>2017-02-21</announced>
+ <revised>2017-02-21: 1</revised>
+ <bug>606264</bug>
+ <bug>606720</bug>
+ <bug>606722</bug>
+ <bug>607000</bug>
+ <bug>607100</bug>
+ <bug>607766</bug>
+ <bug>608034</bug>
+ <bug>608036</bug>
+ <bug>608038</bug>
+ <bug>608520</bug>
+ <bug>608728</bug>
+ <access>local</access>
+ <affected>
+ <package name="app-emulation/qemu" auto="yes" arch="*">
+ <unaffected range="ge">2.8.0-r1</unaffected>
+ <vulnerable range="lt">2.8.0-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>QEMU is a generic and open source machine emulator and virtualizer.</p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in QEMU. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>A local attacker could potentially execute arbitrary code with
+ privileges of QEMU process on the host, gain privileges on the host
+ system, cause a Denial of Service condition, or obtain sensitive
+ information.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All QEMU users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-emulation/qemu-2.8.0-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10155">
+ CVE-2016-10155
+ </uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2615">CVE-2017-2615</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5525">CVE-2017-5525</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5552">CVE-2017-5552</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5578">CVE-2017-5578</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5579">CVE-2017-5579</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5667">CVE-2017-5667</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5856">CVE-2017-5856</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5857">CVE-2017-5857</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5898">CVE-2017-5898</uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5931">CVE-2017-5931</uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-02-16T18:41:09Z">whissi</metadata>
+ <metadata tag="submitter" timestamp="2017-02-21T00:04:45Z">whissi</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201702-29.xml b/metadata/glsa/glsa-201702-29.xml
new file mode 100644
index 000000000000..d6e26f8aa7f6
--- /dev/null
+++ b/metadata/glsa/glsa-201702-29.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201702-29">
+ <title>PHP: Multiple vulnerabilities</title>
+ <synopsis>Multiple vulnerabilities have been found in PHP, the worst of which
+ could lead to arbitrary code execution or cause a Denial of Service
+ condition.
+ </synopsis>
+ <product type="ebuild">php</product>
+ <announced>2017-02-21</announced>
+ <revised>2017-02-21: 1</revised>
+ <bug>604776</bug>
+ <bug>606626</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-lang/php" auto="yes" arch="*">
+ <unaffected range="ge" slot="5.6">5.6.30</unaffected>
+ <vulnerable range="lt" slot="5.6">5.6.30</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>PHP is a widely-used general-purpose scripting language that is
+ especially suited for Web development and can be embedded into HTML.
+ </p>
+ </background>
+ <description>
+ <p>Multiple vulnerabilities have been discovered in PHP. Please review the
+ CVE identifiers referenced below for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>An attacker could possibly execute arbitrary code or create a Denial of
+ Service condition.
+ </p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All PHP 5.6 users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-lang/php-5.6.30:5.6"
+ </code>
+ </resolution>
+ <references>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10158">
+ CVE-2016-10158
+ </uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10159">
+ CVE-2016-10159
+ </uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10160">
+ CVE-2016-10160
+ </uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10161">
+ CVE-2016-10161
+ </uri>
+ <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9935">CVE-2016-9935</uri>
+ </references>
+ <metadata tag="requester" timestamp="2017-01-18T23:06:15Z">b-man</metadata>
+ <metadata tag="submitter" timestamp="2017-02-21T00:05:07Z">whissi</metadata>
+</glsa>